Healthcare Hacking

Daniel Dimov
May 24, 2016

Introduction

The use of digital technology in the healthcare sector is growing significantly. Acute care hospitals, health insurance companies, private sector enterprises, health agencies, and other healthcare system actors rely on computer systems for a variety of purposes, including the provision of medical care, administrative management, disease prevention, and emergency response. However, precisely because these records are digital, they pose risks to the privacy and even the lives of the individuals whose data they contain. As Suzanne Schwartz of the U.S. Food and Drug Administration points out: "All medical devices that use software and are connected to hospital and healthcare organizations' networks have vulnerabilities".

The purpose of this article is to raise information security awareness about threats to privacy and security of digital healthcare information. More specifically, this article will discuss popular hacking techniques used for gaining unauthorized access to medical records (Section 2), the market for hacked medical records (Section 3), and the unlawful use of hacked medical records (Section 4). Finally, a conclusion is provided (Section 5).


Hacking techniques used for gaining unauthorized access to medical records

Thousands of medical records containing patients' confidential information are compromised every year. The U.S. Department of Health and Human Services maintains an official list of reported information security breaches affecting 500 or more individuals within the healthcare sector. The list indicates that U.S. medical institutions suffered 89 cyber-attacks between January and May 2016. The cyber-attacks resulted in thefts, unauthorized access, and hacking of digital records. The techniques used by cyber criminals to unlawfully access medical records do not differ much from the methods used for committing crimes in other sectors. Below, we briefly overview four popular hacking techniques used for gaining unauthorized access to medical records, namely, phishing (Section 2.1), exploitation of software bugs (Section 2.2), distribution of malware (Section 2.3), and dictionary attacks (Section 2.4).

Phishing

Even the most comprehensive information security measures can be bypassed by using phishing, i.e., a fraudulent technique whereby an attacker imitates a trustworthy source with the aim of collecting sensitive data from an unsuspecting individual. Phishing attacks are usually carried out by sending an email that appears to come from a familiar source and requests that the recipient click on a specific link or provide authentication credentials. By way of illustration, on 9 October 2015, Middlesex Hospital in Connecticut discovered an information security breach. The attacker gained access to the digital health records of 946 patients. After investigating the matter, the hospital revealed that the attack had been conducted by using phishing. More specifically, phishing emails were sent to a large number of hospital employees, four of whom responded to them.


Exploitation of software bugs

Many health care systems and devices use computer software to perform various functions, including life-saving operations. The information security of such systems is of paramount importance not only for patients' privacy but also for their lives. However, information security studies reveal that the health care sector does not use up-to-date information security solutions. According to Scott Erven, associate director at the consulting firm Protiviti, the health sector is "10 to 15 years" behind the retail sector when it comes to information security. Mr. Erven and another security researcher found 30 security vulnerabilities in various health care systems, including cardiology systems, infusion systems, and MRI machines. Some of the vulnerabilities were well known to hackers, e.g., the security vulnerability MS08-067, which allows hackers to gain unauthorized access to a network. MS08-067 had previously been used by the Conficker worm, malware targeting the Microsoft Windows operating system.

Distribution of malware

Malware can reach the networks of health care institutions not only through phishing but also through direct distribution within an institution's computer network. Malware in computer networks and equipment can be introduced either by pre-installation by a manufacturer or by a third party (e.g., a cyber attacker).

In the healthcare sector, hackers often use ransomware, i.e., a form of malware designed to hold the data on infected systems hostage, making it inaccessible until the targeted healthcare organization pays the attacker a monetary sum. Ransomware is a popular hacking method for extorting money from health organizations.

Dictionary attacks

Most computer systems that manage digital medical records use password authentication. Therefore, information security issues associated with improper password use (e.g., weak password composition and irresponsible storage) pose a significant threat to healthcare computer systems. The term "dictionary attack" refers to a cyber-attack in which the attacker systematically enters every word in a dictionary as a password. The following passwords are susceptible to dictionary attacks: (1) short passwords; (2) passwords that do not use a combination of upper and lower cases, alpha characters, and special symbols; and (3) passwords that resemble regular everyday words.
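As an added example that is not part of the original article, the following Python check flags passwords that fall into the three categories above, so an administrator can screen new passwords before they reach a medical records system. It assumes a constructed ten-word list standing in for a real dictionary, a 12-character minimum, and four character classes (lower, upper, digit, symbol) as the composition rule; the leetspeak substitution table is likewise an assumption about what "resembles regular everyday words" should catch.

```python
import re

# Constructed mini word list standing in for the dictionary an attacker
# would iterate over; a real check would load a large word list.
COMMON_WORDS = {
    "password", "hospital", "welcome", "summer", "medical",
    "admin", "patient", "letmein", "qwerty", "nurse",
}
MIN_LENGTH = 12  # assumed policy minimum
# Assumed substitutions to undo, so "P@ssw0rd" is still recognised as "password".
LEET_MAP = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e", "$": "s", "5": "s"})


def character_classes(password: str) -> int:
    """Count how many of lower, upper, digit and symbol appear."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for p in patterns if re.search(p, password))


def word_candidates(password: str) -> set:
    """Forms of the password a dictionary attack would also try:
    lower-cased, leet-decoded, and with leading/trailing digits or
    symbols removed (so "Summer2016!" yields "summer")."""
    lowered = password.lower()
    forms = {lowered, lowered.translate(LEET_MAP)}
    return forms | {re.sub(r"^[^a-z]+|[^a-z]+$", "", f) for f in forms}


def dictionary_risk(password: str, words: set = COMMON_WORDS) -> list:
    """Return which of the article's three weakness categories apply;
    an empty list means none of them does."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("short")
    if character_classes(password) < 4:
        findings.append("missing character classes")
    if word_candidates(password) & words:
        findings.append("dictionary word")
    return findings


if __name__ == "__main__":
    for pw in ("Summer2016!", "P@ssw0rd!", "hospital123", "Xk7#pQ2!mZ9v$Lr4"):
        print(f"{pw!r}: {dictionary_risk(pw) or 'no dictionary-attack weaknesses'}")
```

Note that "P@ssw0rd!" passes the composition rule yet is still flagged, because the decoded form is a plain dictionary word; this is the case a composition-only policy misses.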

Market for medical records

Medical records stored digitally contain a lot of important and confidential information, such as patients' social security and bank account numbers, birth dates, addresses, physical descriptions, and insurance information. Such data can be processed for different unlawful purposes, including falsifying prescriptions and receiving fraudulent tax credits. Unsurprisingly, on the black market, the prices of unlawfully obtained medical records are relatively high. The FBI and various security experts report that a single medical record on the "dark Web" is worth much more than a person's credit card information, namely, about USD 10 - 50, because stolen medical information cannot be "blocked." Hacked health credentials are sold in shadowy specialized online marketplaces that serve communities of scammers and hackers. Due to the illegal nature of such websites, they are not easily available to regular Internet users. In order to gain access to markets for health care records, potential buyers and sellers are often required to pay a fee. Moreover, in order to protect such online marketplaces from being tracked and shut down by law enforcement agencies, black market operators may conceal their activities by using special software that makes the marketplaces invisible to search engines.

Black markets for selling personal data, including medical credentials, fall into two types, namely, storefronts and bulletin boards. Storefronts resemble regular online shops. Although such websites provide the basic infrastructure for transactions (e.g., customizable search criteria, promotion of goods, and acceptance of payments), the actual negotiations between sellers and customers take place in chat rooms. The payments accepted in storefronts include digital currencies (e.g., Bitcoin) and Western Union transfers.

The other type of personal information marketplace operating within the "dark Web" is the bulletin board. Such websites allow users not only to purchase and sell stolen personal credentials but also to share and trade hacking techniques. To access highly camouflaged bulletin boards, prospective community members have to undergo a verification procedure and fulfill a number of requirements, such as depositing an amount of money into the system, providing proof of possession of a large amount of personal data, or passing website cracking exams that ensure a high level of hacking skills.

Unlawful use of hacked medical records

Due to specific characteristics of digital medical records, such as the large amount of personal information they contain and the impossibility of "blocking" this information from reuse, stolen medical records can be used for a spectrum of illicit activities. For instance, digital medical data can be used by fraudsters for committing identity theft, financial crimes, and blackmail. Below, we discuss four common unlawful activities that may be conducted by using personal information obtained from stolen digital medical records, namely, identity theft (Section 4.1), obtaining a ransom (Section 4.2), tax return scams (Section 4.3), and espionage (Section 4.4).

Identity theft

Unlawfully obtained medical data can be used for obtaining drugs, treatment, and medical equipment. Medical identity fraud is difficult to detect in its early stages. For reputational reasons, medical organizations that experience security breaches rarely inform their customers in a timely manner. Therefore, victims of identity theft may learn about the unlawful use of their personal information only after they receive unexpected bills for medical goods and services. The Medical Identity Fraud Alliance (MIFA), an organization that raises awareness about the issue, indicates that it takes victims three months on average to learn that their medical records have been compromised.

Victims of medical identity theft experience significant financial losses. The Fifth Annual Study on Medical Identity Theft (2015) issued by the MIFA states that victims of medical fraud pay $13,500 on average to resolve the crime, i.e., paying healthcare providers for fraudulent claims and correcting inaccuracies in their health records. Correcting unlawfully modified health records is a complex, long, and expensive process that is heavily regulated by medical-privacy laws.

Obtaining a ransom

Information security breaches that target patients' medical records can significantly affect the reputation of the hacked medical organizations. Knowing this, hackers often attempt to obtain a ransom from wealthy healthcare organizations. For example, in 2016, a hospital in Hollywood paid a ransom of USD 17,000 in Bitcoins to a group of hackers in exchange for restoring its malware-affected computer network. According to the management of the hospital, paying the ransom was the easiest and quickest way to restore the hospital's systems. Similarly, a family medical center in Australia was required to pay AUD 4,000 to hackers to regain access to the personal information collected by the center.

Tax return scams

Personal information in medical records, such as social security numbers, addresses, phone numbers, and employment history, can be used for submitting fraudulent applications for tax returns. The electronic U.S. tax return system employs outdated fraud detection and user authentication mechanisms that allow scammers to obtain immense amounts of money every year. The U.S. Internal Revenue Service (IRS) estimates that this year the country will lose USD 21 billion due to false tax returns. Since the only three personal items required for filing an electronic tax return in the U.S. are (1) the user's name, (2) date of birth, and (3) social security number, hacked medical records purchased on the "dark Web" can easily provide such data.

Espionage

Although healthcare hacking is considered to be a specialty of thieves in Eastern Europe, some of the major health care cyber-attacks are attributed to hackers engaged in espionage. For example, the news agency Reuters recently stated that the following three cyber-attacks may be economic espionage attempts originating in China: (1) the attack against the U.S. Office of Personnel Management; (2) the attack against the health insurance company Anthem Inc.; and (3) the attack against the healthcare service provider Premera Blue Cross. Such assumptions are based on the fact that none of the stolen records were offered for sale on the black market or used for committing other financial crimes. The obtained confidential information contains a large amount of data that can be of interest to other governments, e.g., data related to the development of medical technologies and pharmaceutical manufacturing.

Conclusion

Technological innovations and large-scale digitization inevitably affect healthcare industries around the world. In order to provide modern, up-to-date, and easily communicable services, major actors in the healthcare sector rely on computer systems. Since patients' medical records, financial information, health insurance data, treatment history, and other data are stored in digital format, insufficient protection of such records can result in serious information security breaches, leading to significant reputational and financial losses. Moreover, hacked medical devices can pose a significant threat to the availability of emergency care and the quality of the medical services provided. Therefore, in order to prevent healthcare breaches, it is of utmost importance for health care organizations to recognize the need to: (1) raise information security awareness amongst the personnel dealing with health care data; and (2) implement up-to-date information security measures aimed at preventing health care hacks.

Sources

Armour, S., 'How Identity Theft Sticks You With Hospital Bills', The Wall Street Journal, 7 August 2015. Available at http://www.wsj.com/articles/how-identity-theft-sticks-you-with-hospital-bills-1438966007.

'Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information', U.S. Department of Health and Human Services Office for Civil Rights. Available at https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=003DC8758355A8A57FFCC4F546F4A2F0.worker1.

FBI Cyber Division, 'Health Care Systems and Medical Devices at Risk for Increased Cyber Intrusions for Financial Gain', The American Hospital Association, 8 April 2014. Available at http://www.aha.org/content/14/140408--fbipin-healthsyscyberintrud.pdf.

'Fifth Annual Study on Medical Identity Theft', Ponemon Institute, February 2015. Available at http://medidfraud.org/wp-content/uploads/2015/02/2014_Medical_ID_Theft_Study1.pdf.

'Hacking Healthcare IT in 2016. Lessons the Healthcare Industry Can Learn from the OPM Breach', Institute for Critical Infrastructure Technology, January 2016. Available at http://icitech.org/wp-content/uploads/2016/01/ICIT-Brief-Hacking-Healthcare-IT-in-2016.pdf.

'Healthcare and Public Health Cybersecurity Primer: Cybersecurity 101', Public Health Emergency. Available at http://www.phe.gov/Preparedness/planning/cip/Documents/cybersecurity-primer.pdf.

'Healthcare Email Phishing Scam Claims 946 Victims', HIPAA Journal, 9 December 2015. Available at http://www.hipaajournal.com/healthcare-email-phishing-scam-claims-946-victims-8209/.

'Healthcare.gov. Actions Needed to Enhance Information Security and Privacy Controls', United States Government Accountability Office, March 2016. Available at http://www.gao.gov/assets/680/676003.pdf.

Hicks, S., 'Russian hackers hold Gold Coast doctors to ransom', ABC News, 20 December 2012. Available at http://www.abc.net.au/news/2012-12-10/hackers-target-gold-coast-medical-centre/4418676.

Humer, C. and Finkle, J., 'Healthcare Firms at Risk; Hackers Value Medical Records Over Credit Data', Insurance Journal, 26 September 2014. Available at http://www.insurancejournal.com/news/national/2014/09/26/341691.htm.

Humer, C. and Finkle, J., 'Your medical record is worth more to hackers than your credit card', Reuters, 24 September 2014. Available at http://www.reuters.com/article/us-cybersecurity-hospitals-idUSKCN0HJ21I20140924.

Hunter, M., 'Tax-refund fraud to hit $21 billion, and there's little the IRS can do', CNBC, 11 February 2015. Available at http://www.cnbc.com/2015/02/11/tax-refund-fraud-to-hit-21-billion-and-theres-little-the-irs-can-do.html.

'Identity Theft', Office of the Inspector General, Social Security Administration. Available at https://oig.ssa.gov/report-fraud-waste-or-abuse/what-cant-oig-investigate/identity-theft.

Millman, R., 'Vulnerabilities in healthcare devices show up woeful lack of security', SC Magazine, 19 February 2016. Available at http://www.scmagazineuk.com/vulnerabilities-in-healthcare-devices-show-up-woeful-lack-of-security/article/477919/.

Moyer, J. W., 'After computer hack, L.A. hospital pays $17,000 in Bitcoin ransom to get back medical records', The Washington Post, 18 February 2016. Available at https://www.washingtonpost.com/news/morning-mix/wp/2016/02/18/after-computer-hack-l-a-hospital-pays-17000-in-bitcoin-ransom-to-get-back-medical-records/.

Murdock, J., 'Obamacare website Healthcare.gov endured over 300 hacking attempts in 18 months', International Business Times, 24 March 2016. Available at http://www.ibtimes.co.uk/obamacare-website-healthcare-gov-endured-over-300-hacking-attempts-18-months-1551449.

'Reduce Exposure to Claims Fraud with Integration of Public Records', LexisNexis, January 2014. Available at https://www.lexisnexis.com/risk/insights/health-care-public-records.aspx.

Sankin, A., 'Inside the black markets for your stolen credit cards', The Kernel. Available at http://kernelmag.dailydot.com/issue-sections/features-issue-sections/10362/inside-the-black-markets-for-your-stolen-credit-cards/.

Vinayak, A., '5 Most Common Ways SSN ID Theft And Fraud Happen', AuthenticID, 16 September 2014. Available at http://authenticid.co/blog/2014/09/16/5-most-common-ways-ssn-id-theft-and-fraud-happen/.

Wagstaff, J., 'Medical data, cybercriminals' holy grail, now espionage target', Reuters, 5 June 2015. Available at http://www.reuters.com/article/cybersecurity-usa-targets-idUSL3N0YR30R20150605.

Ward, A., 'Healthcare sector warned to be alert for hack attacks of networks and devices', Financial Times, 2 March 2016. Available at https://next.ft.com/content/094499f8-be89-11e5-9fdb-87b8d15baec2.


Co-Author

Rasa Juzenaite works as a project manager in an IT legal consultancy firm in Belgium. She has a Master's degree in cultural studies with a focus on digital humanities, social media, and digitization. She is interested in the cultural aspects of the current digital environment.

Daniel Dimov

Dr. Daniel Dimov is the founder of Dimov Internet Law Consulting (www.dimov.pro), a legal consultancy based in Belgium. Daniel is a fellow of the Internet Corporation for Assigned Names and Numbers (ICANN) and the Internet Society (ISOC). He did traineeships with the European Commission (Brussels), European Digital Rights (Brussels), and the Institute for EU and International law “T.M.C. Asser Institute” (The Hague). Daniel received a Ph.D. in law from the Center for Law in the Information Society at Leiden University, the Netherlands. He has a Master's Degree in European law (The Netherlands), a Master's Degree in Bulgarian Law (Bulgaria), and a certificate in Public International Law from The Hague Academy of International law.